Privacy and Security

On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar titled “Cybersecurity in Health IT: Trend and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.

The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history of $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:

Failure to conduct an enterprise-wide risk analysis

Insufficient policies and procedures to regularly review information system activity

Failure to identify and respond to suspected or known security incidents

Defense in Depth

In the traditional sense, defense in depth means applying a layered approach to protecting your assets, including a variety of techniques and technologies. The potential for leaving gaps in protection and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.

Security Framework

Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:

Relevant Controls for HIM

We highlighted focus areas for HIM in two categories. The first is Access/Account Management which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. They must work closely with other departments—human resources, IT and compliance to establish policies and controls that prevent improper access to PHI.

The second category is Administrative, Physical and Technical with emphasis on:

Data classification—data flow mappings and sensitivity

Roles and responsibilities—privacy, security and legal

Information security awareness—education, training and policies

Information handling—use and disposal

Physical access—secure rooms

With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.

Enterprise Engagement

As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.

Resolution Agreements

In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.

Top Cybersecurity Threats in 2019

Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:

Third-party misuses or shares of confidential data

An attack involving IoT or OT assets

A significant disruption to business processes caused by malware

A data breach involving 10,000 or more customer or employee records

An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment

As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.

The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

The April 2019 Journal of AHIMA article “What to Do (and Not Do) When Changing HIM Vendors” served as a virtual roundtable featuring the experiences of three HIM leaders who successfully navigated HIM service vendor transitions. The MRO client panelists were Cindy M. Phelps, RHIA, Sr. Director, TSG Business Relationship Management, Carilion Clinic; Sherine Koshy, MHA, RHIA, CCS, Corporate Director HIM, Penn Medicine; and Kathleen J. Edlund, M.M., RHIA, Director of HIM, Trinity Health.

Topics discussed in the roundtable included challenges, lessons learned and practical strategies that help ensure quality service and a lasting collaborative partnership. As moderator of the discussion, I had an opportunity to focus on each expert’s type of vendor transition: transcription, EHR and Release of Information (ROI).

Challenges

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning.

Some of the common challenges that prompted the panelists’ organizations to seek a better solution were: the need to have all users on one platform, service and quality issues, communication problems and lack of client support.

Lessons Learned

From their experiences addressing the challenges listed above, each HIM expert offered lessons learned and suggestions for other organizations to consider when transitioning service vendors. Here is a summary of their recommendations:

Download the Journal of AHIMA Article

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.

Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.

Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

Patients over Paperwork

Interoperability and MyHealthEData

Opioid Epidemic

Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

Request HCCA Incident Response Breach Management Slides

During Health Information Professionals (HIP) Week, MRO enjoys celebrating our Health Information Management (HIM) partners and staff, who perform their duties masterfully throughout the year. We have the pleasure of working with the industry’s most dedicated professionals whose expertise upholds high standards of integrity.

MRO’s expert Protected Health Information (PHI) disclosure management teams equip our HIM partners with the safeguards, services and resources needed to sustain a superior reputation for compliance, service quality and patient satisfaction. Resources include guidance from renowned industry experts, along with passionate teams of Release of Information (ROI) specialists eager to provide high levels of customer care.

HIM’s Everyday Heroes

At MRO, our mission is simple. We aim to share the right PHI with the right requesting parties, in the most compliant, efficient and secure way. And, we do more than share medical records. We make a difference in the lives of patients—sometimes we even save lives.

The work of HIM matters, especially Release of Information. Proper ROI enables better coordination of care, helps patients secure disability benefits, and supports patients through insurance claims or lawsuits when medical records are required. The fast and accurate sharing of medical records can make a lasting impact for a patient in need.

Many MRO employees have been recognized as personal heroes to patients and other requesters of health information whom we have had the privilege of helping. They email us, send cards and gifts, and make phone calls to share their positive experiences with MRO. We regularly highlight these exceptional HIM professionals in an employee development and recognition program fittingly called MRO’s “Everyday Heroes.” We are proud to have our heroes serving over 8,500 healthcare locations and their patients across the U.S.

HIM Expert Resources

HIM leaders at many of the nation’s top health systems trust and rely on MRO’s KLAS-rated #1 Release of Information services and team of renowned experts. Our leadership team was skillfully assembled to provide our HIM partners with the best guidance and support possible, as together we navigate the complex world of compliant PHI disclosure.

Throughout the next year, you will have the opportunity to learn more about MRO’s experts in advertisements appearing on the back cover of the Journal of AHIMA. Each issue will feature a different expert resource provided to MRO clients.

Just released, the April issue of the Journal features MRO’s Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy. An HIM superstar and Past President of AHIMA, Rita has over 40 years of experience and expertise. She and her team empower HIM professionals through consultative reviews of PHI disclosure policies and procedures, privacy analytics, and a variety of HIPAA compliance resources and tools. Be sure to check out each issue of the Journal and visit our accompanying website to learn more about MRO’s HIM experts.

As we move into 2019, it is important for healthcare professionals to stay up to date on the latest trends and best practices for managing Protected Health Information (PHI) disclosure across healthcare enterprises.

In MRO’s upcoming 2019 “Best Practices in PHI Disclosure Management” webinar series, the latest trends and best practices for organizations to consider will be covered. There are four parts to this webinar series, and each session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics in our webinar series, which MRO’s subject matter experts will go into more detail. To register, click here.

1) The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense
Payer requests for medical records are challenging, time-consuming undertakings for healthcare organizations, typically requiring the release of hundreds or thousands of patient records. MRO’s payer relations expert Greg Ford, Senior Director of Requester Relations and Receivables Administration, will share tips and best practices to shore up your defenses against the rising tide of payer requests for medical records.

2) Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI by implementing new technology and HIPAA-compliant policies and procedures. In this webinar, I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps.

3) Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI
In an era of evolving cybersecurity threats, healthcare leaders are challenged to be vigilant in their efforts to minimize risk and implement new, robust safeguards to protect the privacy and security of patient data. MRO’s security expert Anthony Murray, CISSP, Vice President of Information Technology and ISSO, and I will provide best practices for safeguarding PHI across your healthcare enterprise.

4) Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding clarification for healthcare providers, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in rising challenges for healthcare providers. MRO’s legal expert Danielle Wesley, Esq., Vice President and General Counsel, and I will provide clarity on the topic and cover strategies and tactics for combatting the related issues.

Register today for our first webinar, on the topic The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense.

Register for "The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense"

What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.

For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.

HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.

Why HITRUST Is Important to BA Risk Management

As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.

Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.

With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.

As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.

On November 7, 2018, I joined my colleagues Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services, and Anthony Murray, CISSP, Vice President of Information Technology, to present the fourth and final installment of MRO’s healthcare compliance webinar series. In this webinar titled “Healthcare Privacy and Security—Predictions for 2019,” we highlighted privacy and security trends and predictions to help Health Information Management (HIM) and other healthcare leaders navigate compliance in the coming year.

Patient-Directed Requests

Attorney misinterpretation of patient-directed requests (PDRs) was front and center in 2018 and will continue to require clarification and guidance in 2019. When the validity of a PDR is questionable, the patient should be contacted to clarify and confirm consent. Here are additional strategies for handling attorney requests submitted under the guise of a PDR:

Inform your state legislators of this questionable attorney behavior

Discuss the issue with HIM peers in your area

Hold meetings with your OCR representative to determine the best course of action

Question and verify (with the patient) any suspicious PDR

We welcome a dialogue with the Office for Civil Rights (OCR) for clarification of the guidance to ensure requests are made for the purpose of assisting the patient with continuity of care—the original intent of the guidance. At MRO, we use the criteria provided by the guidance. The request must be made by the patient, written in the first person and signed by the patient. It must clearly state who is to receive the information and provide the address of that person.

Global Data Protection Rule (GDPR)

Released in May 2018 in the EU, the GDPR provided information on breach protection and response, which could affect guidance in the U.S. regarding notification timelines, documentation controls and data protection rules. The focus in 2019 will likely increase, prompting healthcare organizations to determine changes needed to strengthen privacy and security programs. Also, be aware of state action that is patterning to this rule.

Increased Information Collection

Technology will continue to advance through 2019—becoming faster and safer. With more apps and sophisticated technology, patients must be able to trust that their data is safe and secure. Here are several considerations:

What data will you protect?

What policies and procedures need to be reviewed?

Do you have a complete inventory of your data?

Digital mobile engagement is center stage—wearable devices, home monitors, patient portals, patient generated health data (PGHD) and ongoing technology innovation. The goal is for patients to have a connected, fluid experience throughout the healthcare journey.

Increased Access to Care

The patient experience has changed over the past several decades—from the focus on where patients receive care to where patients search for and choose to receive care. Increased access to care includes urgent care, virtual care, retail settings and nontraditional players such as Amazon and Google. All use some type of technology involving Protected Health Information (PHI) that must be documented and protected.

Population Health, Data and Analytics

Total consumer health requires awareness of educational needs, especially considering the aging population and proactive management of healthcare. Consumers will benefit from initiatives that promote informed decision-making through awareness of available resources and rights regarding PHI. Those efforts demand emphasis on data collection, protection and analytics to improve population health and ensure compliance.

AHIMA’s Vision for 2019

AHIMA recently released its vision for 2019 as the year of transformation. Based on a back-to-basics strategy, AHIMA will emphasize core strengths and services to move HIM forward:

The top three drivers will be security risks, business needs and evolving industry changes.

Technology and Cybersecurity

In 2019, advancements in technology will remain centered on interoperability and cybersecurity. Interoperability is critical to patient engagement and optimal EHR investment required for proper PHI disclosure management.

Additionally, cybersecurity must be a top priority to ensure effective information security programs. Organizations must clarify policies regarding:

Risk assessments versus gap assessments

Incident response

External support

Business Associates

Third-party assessments

Certifications, audits, standards

The evolution of cybersecurity threats means increasingly sophisticated ransomware and other attacks including cryptojacking and whaling. In case of a technology incident, the best strategy is a layered security model to protect, detect, identify and respond.

To learn more about privacy and security predictions for 2019, fill out the form below to receive a copy of this webinar.

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.

Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.

Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.

Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.

Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.

Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Receive a copy of the full Journal of AHIMA article

On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part healthcare compliance webinar series. In this webinar titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.

Access Management

Policies and Procedures

HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.

• Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
• Information access authorization specifies who has access and why, based on minimum necessary guidelines.
• Ongoing security training supports accountability and access management.

Threat Prevention, Detection and Response

Prevention

Even with the most advanced technology, granting people access to systems remains one of the highest risks of introducing the possibility of serious incident. Attendees were reminded that policies and technologies must have additional controls in place:

If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts to potential privacy violations. System log reviews are a good indicator of behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.

Response

In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?

At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.

Information Governance

Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.

Risk Register

A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Unlike a one-and-done document, this register is a fluid living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.

Cyber Extortion

With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.